Why comply? Europe’s GDPR, UK’s Data Protection Bill and your enterprise
By Patrick Kerpan September 29, 2017 Originally published in IT Pro Portal
There are new legal frameworks for data protection being enacted in the UK and across Europe that impact every multinational company.
Beginning May 25th 2018, all companies that do business in Europe, or handle any EU citizens’ personal data, must abide by the General Data Protection Regulation (GDPR) or face huge fines: €20 million ($27,147,800.00 USD) or 4 per cent of worldwide annual gross revenue, depending on the violation.
If you think the GDPR rules won’t impact you or your enterprise, think again. Even if your company is not located in the EU, your data in the cloud might include information on a “data subject.” In 2018, enterprises will have to meet the strict data security measures for data privacy compliance set by the GDPR, no matter where a company’s servers are hosted.
“The GDPR will affect not only EU-based organisations, but many data controllers and processors around the globe,” said Bart Willemsen, research director at Gartner.
The EU’s GDPR
The EU’s GDPR laws are being enacted to protect EU residents’ personal data. The new UK Data Protection Bill requires any organisation that collects or manages personal data to be accountable for that data.
According to the GDPR mandate, enterprises must detect, defend, and ensure all data collection, storage, and management prioritises end user privacy rights. Any organisation that deals with high-risk data processing must protect that data and allow end users to remove and transport their data.
The UK’s Data Protection Bill
On September 14th, 2017 the UK published the Data Protection Bill. The Data Protection Bill is designed to enact the GDPR into UK law. The Bill is very similar to the GDPR – it includes the famous “right to be forgotten” data removal requirements, “explicit consent” for collecting new data, and “data portability” for moving data between providers. Another key similarity is the concept of “privacy by design/default.” organisations must build applications and systems with data privacy protection built in.
Unlike the GDPR, the UK law sets the national data protection regulator as the Information Commissioner’s Office (ICO). The ICO will have the power to defend consumer interests and issue higher fines. organisations that do not properly protect personal data or fail to report security breaches can be fined up to £17 million or up to 4 per cent of their global turnover. Previous laws set the maximum fine at £0.5 million.
From the UK Government, the Data Protection Bill intends to:
● make it simpler for users to withdraw consent for the use of personal data;
● allow people to ask for their personal data held by companies to be erased;
● enable parents and guardians to give consent for their child’s data to be used;
● require ‘explicit’ consent to be necessary for processing sensitive personal data;
● expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
● update and strengthen data protection law to reflect the changing nature and scope of the digital economy;
What about the USA?
“The new (GDPR) law will usher in cascading privacy demands that will require a renewed focus on data privacy for US companies that offer goods and services to EU citizens” – Jay Cline, PwC’s US Privacy Leader.
Price Waterhouse Cooper announced 92 per cent of US CIOs, CISOs, General Counsels, CCOs, CPOs and CMOs in multinational corporations are prioritising GDPR compliance.
In their January 23, 2017 press release, PWC stated “Survey results also found that information security enhancement is a top GDPR initiative. While much of the discussion has focused on the law’s privacy-centric requirements, information-security obligations figure prominently in GDPR plans of US companies. Among the 71 per cent who have begun GDPR preparation, the most-cited initiatives in flight are information security, privacy policies, GDPR gap assessment and data discovery.”
Data also indicates 68 per cent of the US multinational companies surveyed have plans to invest $1-10 million on GDPR compliance. Enterprises with hundreds of applications and proprietary data in the cloud can expect to invest $10 million or more to comply with GDPR responsibilities.
How can organisations comply?
One of the big benefits of GDPR will likely cause the most headaches: full organisation involvement. This cross-functional exercise should involve legal, risk and compliance, IT, and security departments. Involve teams from both technical and business perspectives.
The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it.
Next, teams from multiple departments should compare data policy and procedures already in place. An in-depth audit of policies can help reduce the burden of beginning a new data protection policy later on. The upfront work of comparing compliance standards now will save efforts in the future.
Assess your organisation’s requirements. Changes in GDPR include added protections for children, the “right of erasure” and new timelines for consent for data collection. Under GDPR, an individual has the right to request information from a company within 30 days and the data must be in electronic format. Likewise, the rules on data portability will require forethought about how data are being managed currently.
Hire a data protection officer. The GDPR requires a data protection officer (DPO) to coordinate reporting with the EU and manage data requests with data subjects. This DPO will manage the Data Subject Access Request (“DSAR”) Systems to coordinate data subject’s request for access, erasure, correction or portability. For all private sector enterprises, a single point of contact can manage IT processes, data security, and business continuity processes.
What can you do today to prepare?
Reevaluate access controls for IT teams and other departments. With cloud-based systems, it should be easier to implement strong password and authentication programs. With access management tools IT teams can also gain insight into what users require access to each service or application and apply the rule of “least privilege” required for each.
For organisations with large amounts of data and data that travels between networks, adding encryption in-transit to any existing encryption best practices is essential. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.
Prepare with security, but plan for a data breach. GDPR requires all organisations report any data breaches involving personal information within 72 hours of discovery. Along with controls to detect any unwanted network access, your teams should also have a plan to control and shut down any malicious actors.
- data controller (organization that collects data)
- data processor (organization that processes data , including cloud providers)
- data subject (person)
- NOTE: The UK’s decision to leave the European Union will not affect the commencement of GDPR.
2. Know how to apply it.
- Data protection by design. Article 25 requires organisations to design data protection into business processes to protect personal data.
- Data privacy. GDPR requires “pseudonymisation” or the process of transforming personal data in such a way that the end data cannot identify the specific data. An example is encryption. Additionally, the GDPR also requires the associated information, like the decryption keys, must be kept separately from identifying data.
- Data removal. EU citizens (data subjects) have the right to request their data be erased from organisations. This is a revision of the “right to be forgotten” concept proposed in earlier drafts.
- Data portability. A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.
3. Know when it applies. All organisations must be in compliance by May 2018.
Snooze and you will lose
In early 2017, a study by Mailjet found that only 17 per cent of respondents have taken all of the recommended steps towards GDPR compliance, while the same proportion admit they have not enacted any such checks or changes.
Do not ignore GDPR, the regulations apply to any company doing business in Europe and any enterprise that handles personal information for European citizens.
Compliance with GDPR will be a slow and laborious process for many multinational enterprises.
GDPR becomes law on May 25, 2018. Miss the deadline and you will pay a BIG price.
Patrick Kerpan, co-founder and CEO, Cohesive Networks
By: Margaret Valtierra